Our article on IoT and open source licensing, which Aaron Williamson co-wrote with Kate Downing, was recently published in the December/January 2023 issue of Landslide, the magazine of the American Bar Association's Intellectual Property Law Section. In it, Aaron and Kate discuss how to manage compliance with open source licenses when launching an IoT device.
“Internet of Things” (IoT) devices—from Amazon Echos and Fitbits to the sensors that power smart cities—all contain embedded software. Most are built on the open source Linux operating system and contain dozens (or hundreds) of open source applications and software libraries. These open source components do everything from supporting the most basic functions of the device, to providing the framework for the graphic interface you see when you log on to the device.
IoT device makers don’t cobble all of this OSS together themselves. Typically, they source their embedded computing hardware (or key portions of it) from OEM hardware producers or system integrators, and these hardware suppliers provide a basic operating system for them. The device maker will then typically add their own custom software to provide user-facing functionality.
The many OSS components in an IoT device are all subject to copyright, and sometimes to patents as well.  They are made available subject to open source licenses that govern the reproduction, modification, and distribution of the software. The device maker must therefore comply with the licenses for all OSS embedded in its product, even if that OSS originates from a supplier, because it distributes all that third-party software every time it ships a product.
The presence of third-party OSS in an IoT device means that device makers must:
- (A) understand the terms of OSS licenses and assess whether they can comply with those terms;
- (B) provide end users the compliance materials required by the OSS licenses applicable to their products, including (1) copyright notices and license information for each OSS component and (2) source code for certain OSS components where required by the OSS license;
- (C) invest in the open source management tools, processes, and policies necessary to meet all these challenges comprehensively and efficiently; and
- (D) take steps to ensure that their suppliers provide them with the information necessary to enable them to fulfill their OSS-related obligations.
 Some third-party components or OSS subcomponents commonly used by IoT devices are dedicated by their authors to the public domain rather than released under an OSS license and are free for general use.
 Reciprocal licenses are also referred to as “copyleft” licenses (by supporters) or “viral” licenses (by detractors).